Export and Import Users and Customers <= 2.6.2 - Authenticated (Administrator+) Server-Side Request Forgery via the validate_file function
Platform
wordpress
Component
users-customers-import-export-for-wp-woocommerce
Fixed in
2.6.3
CVE-2025-1970 is a Server-Side Request Forgery (SSRF) vulnerability in the Export and Import Users and Customers plugin for WordPress. Authenticated attackers with Administrator-level access or higher can make the server issue web requests to arbitrary locations, effectively using the WordPress host as a proxy to query or modify services on its internal network. All plugin versions up to and including 2.6.2 are affected; the fix shipped in version 2.6.3.
Impact and Attack Scenarios
The SSRF in Export and Import Users and Customers lets an attacker who already holds an Administrator account make the web server issue requests to resources that are not reachable from the Internet: loopback services, hosts on the private network and, on cloud instances, the metadata endpoint (169.254.169.254), from which instance credentials, API keys and configuration can often be read. Depending on what those internal services expose, the attacker may also modify data or cause a denial of service, and the responses can be used to map the internal network and locate further targets. The privilege requirement bounds the practical impact: on a standard single-site WordPress install an Administrator can already install plugins and run arbitrary PHP, so the SSRF adds little there. It matters most where administrators are deliberately restricted, for example multisite networks (a site Administrator is not a Super Admin and cannot install plugins) or installs with DISALLOW_FILE_MODS set, and wherever the web server has network reach that the administrator's own workstation does not.
Exploitation Context
CVE-2025-1970 was publicly disclosed on 2025-03-22. There are currently no known public exploits or active campaigns targeting it, and its EPSS score is low (0.16%, 37th percentile). Exploitation nevertheless needs nothing beyond a valid Administrator session (no user interaction, low complexity), so an attacker who phishes or brute-forces an admin account gains an internal-network pivot in the same step; with roughly 60K active installs, prompt patching is warranted.
Who Is at Risk
WordPress sites running the Export and Import Users and Customers plugin at version 2.6.2 or earlier are at risk. Shared or managed hosting environments where plugin updates are pushed centrally remain exposed until the update has actually landed on every account, so verify the installed version per site rather than assuming the fleet is patched.
Detection Steps
• WordPress host (WP-CLI): print the installed version; anything below 2.6.3 is vulnerable.
wp plugin get users-customers-import-export-for-wp-woocommerce --field=version
• WordPress host (no WP-CLI): read the Version: header from the plugin's main file, adjusting the WordPress root if it is not /var/www/html.
grep -m1 '^\s*\*\?\s*Version:' /var/www/html/wp-content/plugins/users-customers-import-export-for-wp-woocommerce/*.php
• Remote indicator only: many sites serve the plugin's readme.txt, whose Stable tag usually matches the installed release, but it can lag behind or be blocked, so confirm on the host.
curl -s https://your-wordpress-site.com/wp-content/plugins/users-customers-import-export-for-wp-woocommerce/readme.txt | grep -i 'Stable tag'
The Server header of an HTTP response for the plugin directory says nothing about the plugin version and is not a useful check.
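A script that performs the version check above against a plugin directory, written for this page as an added example (it is not code from the plugin or its vendor). It assumes WordPress lives under /var/www/html unless WP_ROOT is set, that the plugin directory matches the slug users-customers-import-export-for-wp-woocommerce, and that `sort -V` is available; the demo directory and header it creates at the end are constructed, not a real install:

```shell
#!/bin/sh
# Added example for this advisory, not code from the plugin or its vendor.
# Reports whether an installed copy of the plugin is below the first fixed
# release (2.6.3). Assumptions: WordPress under /var/www/html (override with
# WP_ROOT), plugin directory named after the wordpress.org slug, and a sort
# that supports -V (GNU coreutils or BusyBox).

FIXED_VERSION="2.6.3"
PLUGIN_SLUG="users-customers-import-export-for-wp-woocommerce"

# version_lt A B: exit 0 when A sorts strictly before B as a version number.
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# installed_plugin_version DIR: print the "Version:" header of the first PHP
# file in DIR that carries one. This is the same header WordPress reads to
# show the version on the Plugins page, so it reflects the installed build.
installed_plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*//p' "$f" \
            | head -n 1 | tr -d '\r')
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# check_plugin DIR: exit 0 (and say so) when the installed version is
# vulnerable, 1 when it is at or above FIXED_VERSION, 2 when no header exists.
check_plugin() {
    v=$(installed_plugin_version "$1") || {
        echo "no plugin header found under $1"
        return 2
    }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE: $1 is version $v (< $FIXED_VERSION, CVE-2025-1970)"
        return 0
    fi
    echo "OK: $1 is version $v (>= $FIXED_VERSION)"
    return 1
}

# Live install: uncomment to scan the real plugin directory.
# check_plugin "${WP_ROOT:-/var/www/html}/wp-content/plugins/$PLUGIN_SLUG"

# Constructed demo: a fake plugin header in a temp dir so the script runs offline.
demo=$(mktemp -d)
printf '<?php\n/**\n * Plugin Name: Demo plugin (constructed)\n * Version: 2.6.2\n */\n' \
    > "$demo/demo.php"
check_plugin "$demo" || :
rm -rf "$demo"
```

Run it as the web server user or root on each host; for a fleet, loop over the WordPress roots and act on any exit status 0. Parsing the `Version:` header is the same signal WordPress itself displays, so it is more reliable than a public readme.txt, whose Stable tag can lag behind the installed build.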
Attack Timeline
- Disclosure (2025-03-22)
Threat Intelligence
Exploit Status
No known public exploit or active campaign
EPSS
0.16% (37th percentile)
CISA SSVC
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the Internet; no physical or local access required.
- Attack Complexity
- Low: no special conditions required; reliably exploitable.
- Privileges Required
- High: an Administrator or otherwise privileged account is required.
- User Interaction
- None: the attack is automatic and silent; the victim does nothing.
- Scope
- Changed: the impact extends beyond the vulnerable component, here to the internal services the WordPress server can reach.
- Confidentiality
- High: total loss of confidentiality; the attacker can read all data within the server's reach.
- Integrity
- Low: the attacker can modify some data, with limited impact.
- Availability
- None: no impact on availability.
Affected Software
Package information
- Active installations
- 60K (known)
- Plugin rating
- 4.8
- Requires WordPress
- 3.0.1+
- Tested up to
- 6.9.4
- Requires PHP
- 5.6+
Weakness Classification (CWE)
CWE-918: Server-Side Request Forgery (SSRF)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-1970 is to upgrade the Export and Import Users and Customers plugin to version 2.6.3 or later. If that has to wait for compatibility testing, reduce what the flaw can reach rather than what reaches the flaw: a Web Application Firewall inspects inbound HTTP and cannot stop the server's own outbound connections, so the effective stopgap is host- or network-level egress filtering for the account the PHP workers run under, rejecting connections to loopback, RFC 1918 ranges, link-local space and the cloud metadata endpoint (169.254.169.254, and fd00:ec2::254 for AWS IPv6), with explicit allow rules for the local services the site needs. Audit who holds Administrator accounts and enforce MFA on them, and on multisite remember that the site Administrator role is enough to exploit this. Review plugin configuration regularly and grant only the capabilities the export/import workflow requires.
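An egress policy for the stopgap described above, added here as an example and not taken from the plugin, its vendor or the original advisory. It assumes nftables, a PHP/web server running as `www-data`, and a database reached over loopback on TCP 3306; every other address, port and user name is an assumption to replace with your own inventory before loading it with `nft -f`:

```nft
# Added example for this advisory (not from the plugin or its vendor): host-level
# egress policy for the PHP worker account so that an SSRF in any plugin cannot
# reach the cloud metadata service or private address space.
# Assumptions: nftables, web/PHP workers run as "www-data", MySQL on 127.0.0.1:3306.
# Extend the allow rules with your own local services before enabling the rejects,
# or the site loses its database connection.
table inet wp_egress {
    chain output {
        type filter hook output priority 0; policy accept;

        # Local services the site legitimately needs: allow-list them first.
        meta skuid "www-data" ip daddr 127.0.0.1 tcp dport 3306 accept

        # Cloud instance metadata (AWS/GCP/Azure IPv4, AWS IPv6).
        meta skuid "www-data" ip daddr 169.254.169.254 counter log prefix "wp-egress-meta " reject
        meta skuid "www-data" ip6 daddr fd00:ec2::254 counter log prefix "wp-egress-meta6 " reject

        # Loopback, RFC 1918, carrier-grade NAT and link-local ranges.
        meta skuid "www-data" ip daddr { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 169.254.0.0/16 } counter log prefix "wp-egress-priv " reject
        meta skuid "www-data" ip6 daddr { ::1, fc00::/7, fe80::/10 } counter log prefix "wp-egress-priv6 " reject
    }
}
```

Run it in observe mode first by deleting the `reject` verdicts and leaving `counter log`, then watch the log prefixes for a day: anything legitimate that hits them (an internal SMTP relay, object storage on a private IP, a licence server) needs an allow rule above the reject lines. The ruleset narrows the SSRF rather than removing it: requests to the server's own public address or to other tenants' public IPs still go through, and only the 2.6.3 update closes the flaw itself.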
How to fix
Update the Export and Import Users and Customers plugin to version 2.6.3 or later to remediate the Server-Side Request Forgery. This release corrects the `validate_file()` function so that it no longer issues arbitrary web requests.
Frequently Asked Questions
What is CVE-2025-1970 — SSRF in Export and Import Users and Customers?
CVE-2025-1970 is a Server-Side Request Forgery vulnerability in the Export and Import Users and Customers WordPress plugin that lets an attacker with Administrator access make the server issue arbitrary web requests, including to internal hosts.
Am I affected by CVE-2025-1970 in Export and Import Users and Customers?
You are affected if the installed Export and Import Users and Customers plugin is version 2.6.2 or earlier, regardless of the WordPress core version.
How do I fix CVE-2025-1970 in Export and Import Users and Customers?
Upgrade the plugin to version 2.6.3 or later. If the upgrade must wait, apply egress filtering for the web server account (blocking loopback, private ranges and the cloud metadata endpoint) as a temporary control; a WAF cannot block the server's outbound requests.
Is CVE-2025-1970 being actively exploited?
As of publication there are no confirmed reports of active exploitation (EPSS 0.16%), but prompt mitigation is still recommended because a single compromised Administrator account is enough to exploit it.
Where can I find the official WordPress advisory for CVE-2025-1970?
Refer to the plugin's page in the WordPress plugin directory (https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/) for the 2.6.3 changelog and update, and to the plugin developer's website for the advisory itself.